Portforward not working to access LAN machine from WAN

So I tried comparing the tcpdump on the webserver when it's working from the LAN vs. when the request is coming from the WAN. I must say I have not fully understood it, but I'm adding it here for some expert eyes:

webserver tcpdump when it WORKS within the LAN network

07:28:28.727011 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 57681, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [S], cksum 0x4c8a (correct), seq 217028529, win 29200, options [mss 1460,sackOK,TS val 901538374 ecr 0,nop,wscale 7], length 0
07:28:28.727123 webserver-mac > notsure-what-mac, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.30.177.7000 > 10.20.30.1.57488: Flags [S.], cksum 0x5108 (incorrect -> 0xfb1d), seq 1846274689, ack 217028530, win 65160, options [mss 1460,sackOK,TS val 1488786328 ecr 901538374,nop,wscale 7], length 0
07:28:28.727900 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57682, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], cksum 0x278d (correct), ack 1, win 229, options [nop,nop,TS val 901538375 ecr 1488786328], length 0
07:28:28.728002 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 147: (tos 0x0, ttl 64, id 57683, offset 0, flags [DF], proto TCP (6), length 133)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [P.], cksum 0x2fb9 (correct), seq 1:82, ack 1, win 229, options [nop,nop,TS val 901538375 ecr 1488786328], length 81
07:28:28.728055 webserver-mac > notsure-what-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 16452, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.177.7000 > 10.20.30.1.57488: Flags [.], cksum 0x5100 (incorrect -> 0x2623), ack 82, win 509, options [nop,nop,TS val 1488786329 ecr 901538375], length 0
07:28:28.732851 webserver-mac > notsure-what-mac, ethertype IPv4 (0x0800), length 2427: (tos 0x0, ttl 64, id 16453, offset 0, flags [DF], proto TCP (6), length 2413)
    10.20.30.177.7000 > 10.20.30.1.57488: Flags [P.], cksum 0x5a39 (incorrect -> 0x9999), seq 1:2362, ack 82, win 509, options [nop,nop,TS val 1488786334 ecr 901538375], length 2361
07:28:28.733151 webserver-mac > notsure-what-mac, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 16455, offset 0, flags [DF], proto TCP (6), length 57)
    10.20.30.177.7000 > 10.20.30.1.57488: Flags [P.], cksum 0x5105 (incorrect -> 0xd8bc), seq 2362:2367, ack 82, win 509, options [nop,nop,TS val 1488786335 ecr 901538375], length 5
07:28:28.733779 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57684, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], cksum 0x2172 (correct), ack 1449, win 251, options [nop,nop,TS val 901538381 ecr 1488786334], length 0
07:28:28.733823 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57685, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], cksum 0x1dca (correct), ack 2362, win 274, options [nop,nop,TS val 901538381 ecr 1488786334], length 0
07:28:28.733835 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57686, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], cksum 0x1dc4 (correct), ack 2367, win 274, options [nop,nop,TS val 901538381 ecr 1488786335], length 0
07:28:28.734897 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57687, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [F.], cksum 0x1dc2 (correct), seq 82, ack 2367, win 274, options [nop,nop,TS val 901538382 ecr 1488786335], length 0
07:28:28.736527 webserver-mac > notsure-what-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 16456, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.177.7000 > 10.20.30.1.57488: Flags [F.], cksum 0x5100 (incorrect -> 0x1cd3), seq 2367, ack 83, win 509, options [nop,nop,TS val 1488786338 ecr 901538382], length 0
07:28:28.736995 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 57688, offset 0, flags [DF], proto TCP (6), length 52)
    10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], cksum 0x1dbc (correct), ack 2368, win 274, options [nop,nop,TS val 901538384 ecr 1488786338], length 0

webserver tcpdump when it DOESN'T WORK from WAN after port forwarding

07:15:52.004787 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xfee2 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489290663 ecr 0,sackOK,eol], length 0
07:15:53.007260 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xfaf9 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489291664 ecr 0,sackOK,eol], length 0
07:15:54.006700 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xf711 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489292664 ecr 0,sackOK,eol], length 0
07:15:55.009713 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xf329 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489293664 ecr 0,sackOK,eol], length 0
07:15:56.011520 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xef41 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489294664 ecr 0,sackOK,eol], length 0
07:15:57.011657 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xeb59 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489295664 ecr 0,sackOK,eol], length 0
07:15:59.019717 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xe389 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489297664 ecr 0,sackOK,eol], length 0
07:16:03.019508 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xd3e8 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489301665 ecr 0,sackOK,eol], length 0
07:16:11.026222 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], cksum 0xb4a7 (correct), seq 309209358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489309666 ecr 0,sackOK,eol], length 0

I observe that a few options are missing / don't have the same values. Can this be because of some port forwarding setting?

No, it cannot be from that; DNAT changes the destination IP.
Check your webserver that it is not ignoring requests from IPs outside its subnet.
You can also do an SNAT to verify that:

uci add firewall nat
uci set firewall.@nat[-1].dest_port='7000'
uci set firewall.@nat[-1].src='wan'
uci set firewall.@nat[-1].name='test 7000'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].dest_ip='10.20.30.177'
uci set firewall.@nat[-1].snat_ip='10.20.30.1'
uci add_list firewall.@nat[-1].proto='tcp'
uci add_list firewall.@nat[-1].proto='udp'
uci commit firewall
service firewall restart

@vermapraveen,

If I understand your point 1 (routes on Ubuntu) correctly, the traffic to the 172.17/16 network will be forwarded via the docker interface and not enp0s25.
First, can you remove that route?

If that solves the issue, you can check Docker later on.

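Putting the two observations in this thread together (the WAN capture shows the same SYN retransmitted with no SYN/ACK from the server, and the server has a 172.17/16 route pointing at the docker interface), here is an added diagnostic script. It is not from the thread or from OpenWrt; it takes tcpdump lines trimmed from the captures above plus a constructed `ip route` listing (an assumption: the thread only says such a route exists, the exact lines are mine), checks per client whether the three-way handshake got an answer, and for unanswered SYNs does a longest-prefix match to show which interface the SYN/ACK would leave on. The interface names `enp0s25` and `docker0` come from the thread; the route lines themselves are assumed.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump lines from the thread, trimmed to the fields this script needs
# (timestamps, MACs, checksums and TCP options dropped).
WORKING_LAN = """\
10.20.30.1.57488 > 10.20.30.177.7000: Flags [S], seq 217028529, length 0
10.20.30.177.7000 > 10.20.30.1.57488: Flags [S.], seq 1846274689, ack 217028530, length 0
10.20.30.1.57488 > 10.20.30.177.7000: Flags [.], ack 1, length 0
10.20.30.1.57488 > 10.20.30.177.7000: Flags [P.], seq 1:82, ack 1, length 81
"""

FAILING_WAN = """\
172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], seq 309209358, length 0
172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], seq 309209358, length 0
172.17.2.88.61765 > 10.20.30.177.7000: Flags [S], seq 309209358, length 0
"""

# Constructed `ip route` output for the web server host. Assumption: the thread
# only states that a route to 172.17/16 exists via the docker interface.
HOST_ROUTES = """\
default via 10.20.30.1 dev enp0s25
10.20.30.0/24 dev enp0s25 proto kernel scope link src 10.20.30.177
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
"""

PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(capture):
    """Yield (src, sport, dst, dport, flags) for each tcpdump line that matches."""
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def handshake_status(capture, server_port):
    """Per client (ip, port): SYNs seen and SYN/ACKs seen from the server.

    tcpdump flag letters: 'S' = SYN, '.' = ACK, so 'S' alone is the client's SYN
    and 'S.' is the server's SYN/ACK. Repeated 'S' with the same seq and no 'S.'
    means the SYN reached this interface but the answer never appeared on it.
    """
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for src, sport, dst, dport, flags in parse_packets(capture):
        if dport == server_port and flags == "S":
            stats[(src, sport)]["syn"] += 1
        elif sport == server_port and flags == "S.":
            stats[(dst, dport)]["synack"] += 1
    return dict(stats)


def parse_routes(routes_text):
    """Parse `ip route` lines into (network, dev, via) tuples."""
    routes = []
    for line in routes_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes


def reply_route(routes, peer_ip):
    """Longest-prefix match: the route the kernel would use for a reply to peer_ip."""
    addr = ipaddress.ip_address(peer_ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def diagnose(capture, routes_text, server_port):
    """Combine capture and routing table into a verdict per client."""
    routes = parse_routes(routes_text)
    default_dev = next((dev for net, dev, _ in routes if net.prefixlen == 0), None)
    verdicts = {}
    for (ip, port), s in handshake_status(capture, server_port).items():
        if s["synack"]:
            verdicts[(ip, port)] = "ok: server answered the SYN"
            continue
        route = reply_route(routes, ip)
        if route and route[0].prefixlen > 0 and route[1] != default_dev:
            net, dev, _ = route
            verdicts[(ip, port)] = (
                f"misrouted: {s['syn']} SYN(s) reached the server but the SYN/ACK to {ip} "
                f"would leave via {dev} ({net}), not via the default gateway on {default_dev}"
            )
        else:
            verdicts[(ip, port)] = (
                f"no SYN/ACK for {s['syn']} SYN(s); reply path looks right, "
                f"check the local firewall and that the service listens on 0.0.0.0"
            )
    return verdicts


if __name__ == "__main__":
    for label, cap in (("LAN", WORKING_LAN), ("WAN", FAILING_WAN)):
        for (ip, port), verdict in diagnose(cap, HOST_ROUTES, 7000).items():
            print(f"{label} {ip}:{port} -> {verdict}")
```

The point of the script is the order of checks: the SYN being present on the server's LAN interface already proves the router's DNAT is fine, so the next question is where the server's reply goes. The Docker default bridge (172.17.0.0/16) is a more specific match for a WAN client in 172.17.2.0/24 than the default route, so the SYN/ACK is handed to docker0 and never reaches the gateway; the same mismatch would show up for any directly connected route that overlaps the client's address space.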
  1. OpenWRT router LAN - 10.20.30.1
  2. OpenWRT router WAN - 172.17.2.80
  3. website hosted in LAN at 10.20.30.177:7000
    ==
    The setting is correct.
    A request from the WAN [172.17.2.80] requires the WAN IP address and port:
    curl http://172.17.2.80:7000

Wow, this was it! It worked as soon as I removed the docker route. Thanks trendy, attila1, vgaetera for not giving up on me. Heck of a learning experience for myself as well. Thanks everyone.

